Issues with cross-protocol permissions - NFS/SMB/HTTP all to same spot

Hi all -

I've got some problems making a directory tree
transparently accessible via SMB, NFS, and HTTP all at the same time.

I have a Centos 5.X server (shortly to be 6.5) that I
have a directory on that is essentially _the_ main website/directory structure for the home network.

My home network consists of a mixture of Centos/Ubuntu/XP/Vista/Win7/Android platforms, which all need to access this site, either over SMB, NFS, or HTTP.

I don't have any harsh security requirements in particular, really any family user should be able to fully access any part of the structure and be able to have create/edit/save/delete rights to files.

What's tripping me up is even how to get sane access going for a single username - much less using groups to give the same access.

Writes really don't happen under HTTP, although having some sort of write access for a CMS system would be nice-

I just can't work out what the rights need to be for the Apache user who sees this under DocumentRoot, the various SMB users who access mapped drives on Winders, or
the NFS users who see it as mounted on /mnt.

I know that in NFS, one requirement is that I have matched UID/GID numbers--
I've adjusted that on the Ubuntu workstation, and made sure
the owner/group is the same.

NFS looks OK and appears to work -
now that I've appropriately chown'ed everything to matching usernames across the board.

Odds are, that just borked HTTP viewing of some pages.
And odds are equally good that now some SMB user
cannot save/edit/view files...

I think part of the HTTP problem is that I want it to be transparent to users -- I don't want to force a login to the pages on small children (or non-technical people like SWMBO)
So user apache is trying to access files that are owned/created by other users.

I know in smb.conf I can specify that all files created/edited
should always be a forced user - which would do well to fix the NFS piece, right??

I've tried reading various HOWTOs- but keep running into situations where YMMV - and I suspect it's because the author's experience was with Xenix/FreeBSD, or was on some older version, etc--
And in any case, so much of the time people are thinking
"make NFS work", without considering how to make HTTP also work, and SMB also work...

I know this is long --
Can anyone give cross-protocol basic thoughts??

thanks...

05-21-2012

mizzle

In CentOS / Red Hat, httpd executes as user 'apache'
I suggest adding whatever the other services execute as, as well as apache to a new group.

Make sure you set the necessary permissions for the group.
If you have SELinux up and enforcing, then good luck having all 3 services, you might have to make some custom policies, which will be a real PITA.

05-21-2012

atreyu

Quote:

Originally Posted by elarion37

[...]

Hi. This is an interesting problem, one I've thought about doing in my home network. I did a quick, minimal run-thru, and it worked, so I'll post what I did - maybe it will help you.

1. create a group on the linux server, e.g.:

Code:

groupadd family

2. add any users to this group that will be accessing the share via samba, e.g.:

Code:

usermod -a -G family <username>

If you haven't created any samba users before, don't forget to set the passwords using the smbpasswd utility. Use it to add a new user like this:

Code:

smbpasswd -a <username>

3. create a directory structure to be shared by the users:

Code:

install -d /data/family -o root -g family -m 0775

this directory will be owned by root, group owned by "family" and have group write permissions (in Linux, anyway).

4. Configure samba: add these lines to the end of /etc/samba/smb.conf:

Code:

[family]
path = /data/family
valid users = @family
writable = yes

5. Configure nfs: add this line to /etc/exports:

Code:

/data/family 192.168.1.0/24(rw,sync)

obviously, substitute your ip subnet for the one given here.

don't forget to re-export the NFS filesystem, e.g.:

Code:

exportfs -rv

6. Configure apache: add a file to /etc/httpd/conf.d/ and call it "family.conf". In it, put:

That should be it. I probably forgot something, though.
My tests showed that I could mount the "family" share in Windows, using the Windows username that is also a samba user in the Linux server. I was able to mount the NFS share from another Linux PC. In a browser I was able to access the directory by going to http://<LINUX_PC_IPADDRESS>/family/ and logging in using either "mom" or "dad". In the case of SMB and NFS, I was able to successfully write to the directory.

hth!
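The steps above set up the group and the directory once, but the thread's actual pain point is what happens afterwards: a file created by an NFS client gets that user's primary group, not "family", and a file saved with mode 0600 by a Samba client is invisible to the apache user. The script below is an added example (not atreyu's code and not from the thread): it audits a shared tree against the rules the group-based layout depends on (group ownership, group read/write, world read for the apache user, and the setgid bit on directories so new files inherit the group) and can normalize a tree that has drifted. It assumes GNU `stat` (CentOS/Ubuntu) and a group name and directory you pass in; the check for world-read assumes apache is not a member of the group, so drop that line if you add apache to the group as mizzle suggests.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# audit_share DIR GROUP   prints one line per entry that breaks cross-protocol access
# audit_count DIR GROUP   prints the number of such violations
# fix_share   DIR GROUP   normalizes DIR: group GROUP, dirs 2775 (setgid), files 0664
# Assumes GNU coreutils (stat -c). Needs no root when run on your own files.

# Permission bits as decimal constants (POSIX sh arithmetic has no guaranteed octal syntax)
G_READ=32     # 0040
G_WRITE=16    # 0020
O_READ=4      # 0004
O_EXEC=1      # 0001
SETGID=1024   # 02000

# Inspect one path and report every rule it violates.
check_entry() {
    p=$1
    want_group=$2
    # stat gives: group name, octal mode (4 digits when a special bit is set), file type
    set -- $(stat -c '%G %a %F' "$p")
    grp=$1
    mode=$(printf '%d' "0$2")   # leading 0 makes printf parse the mode as octal
    shift 2
    ftype=$*
    [ "$grp" = "$want_group" ] || echo "$p: group is $grp, expected $want_group"
    [ $((mode & G_READ)) -ne 0 ] || echo "$p: not group-readable"
    [ $((mode & G_WRITE)) -ne 0 ] || echo "$p: not group-writable (SMB/NFS users cannot edit it)"
    [ $((mode & O_READ)) -ne 0 ] || echo "$p: not world-readable (apache cannot serve it)"
    if [ "$ftype" = "directory" ]; then
        # Without setgid, files created over NFS get the creator's primary group
        [ $((mode & SETGID)) -ne 0 ] || echo "$p: directory lacks setgid bit (new files will not inherit the group)"
        [ $((mode & O_EXEC)) -ne 0 ] || echo "$p: directory not world-searchable (apache cannot enter it)"
    fi
}

# Walk the tree and check every entry.
audit_share() {
    find "$1" -print | while IFS= read -r entry; do
        check_entry "$entry" "$2"
    done
}

# Number of violations, for scripting (0 means the tree is consistent).
audit_count() {
    audit_share "$1" "$2" | wc -l | tr -d ' '
}

# Bring a drifted tree back to the layout the share expects.
fix_share() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2775 '{}' +
    find "$1" -type f -exec chmod 0664 '{}' +
}

# Usage: sh audit_share.sh /data/family family
if [ $# -eq 2 ]; then
    audit_share "$1" "$2"
    [ "$(audit_count "$1" "$2")" -eq 0 ]
fi
```

The Samba side has the same problem from the other direction: Windows clients create files with whatever mode Samba derives for them, so the analogous settings in the [family] section are `force group = family`, `create mask = 0664` and `directory mask = 2775` (standard smb.conf parameters, suggested here rather than taken from the thread). Run `audit_share` once after the initial setup and again whenever a page stops rendering or a user cannot save; the output names the exact entry and the missing bit, which is faster than guessing which protocol broke it.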

05-31-2012

elarion37

Thanks guys!!!

It may take me another week, but I'll find another of my 'round tuits' and reconfigure things with groups..
I have discovered that I have to change the UID/GID on my existing Centos installs for my account.
They are numbered less than 1000, and Ubuntu 12.04 doesn't like showing all users available to log in, something about lightdm.conf
doesn't like users with UID less than 1000.

So between that and the NFS (in)sanity of having matching UID/GID to solve permissions problems on that side, it's probably going to be "change all the other UID to be higher than 1000" so I can create those users on the Ubuntu box.